# ISO/IEC 27001 Gap Analysis Report — Tender Management System | Field | Value | |-------|-------| | **Document ID** | ISMS-004 | | **Version** | 1.0 | | **Status** | Draft — Pending review | | **Owner** | Information Security Officer (ISO) | | **Last Updated** | 2026-06-11 | | **Assessment Date** | 2026-06-11 | | **Standard** | ISO/IEC 27001:2022 | | **Scope** | [ISMS Foundation §3](./ISMS_FOUNDATION.md#3-isms-scope) | Related: [Statement of Applicability](./STATEMENT_OF_APPLICABILITY.md) | [ISO 27001 Roadmap](./ISO27001_ROADMAP.md) --- ## 1. Executive Summary This report assesses the current state of the Tender Management (TM) ISMS against **ISO/IEC 27001:2022** mandatory clauses (4–10) and Annex A controls. The assessment is based on documentation review, codebase analysis, and existing operational practices. ### Overall Maturity | Area | Maturity | Summary | |------|----------|---------| | **Clauses 4–6** (Context, Leadership, Planning) | 🟡 Partial | Foundation docs exist; formal leadership approval pending | | **Clause 7** (Support) | 🟡 Partial | Competence and awareness programs not yet formalized | | **Clause 8** (Operation) | 🟡 Partial | Technical controls strong; operational procedures incomplete | | **Clause 9** (Performance evaluation) | 🔴 Minimal | No internal audit program or management review yet | | **Clause 10** (Improvement) | 🔴 Minimal | Corrective action process not formalized | | **Annex A** (93 controls) | 🟡 Partial | 6 implemented (7% of 81 applicable), 56 partial (69%), 19 not implemented (23%), 12 N/A (13%) — per [SoA §7](./STATEMENT_OF_APPLICABILITY.md#7-summary-statistics) | ### Key Strengths - Application-layer security controls (JWT, RBAC, validation, XSS, audit logging) - Clean Architecture with dependency injection and structured logging - Initial ISMS documentation suite (foundation, risk matrix, policies) - Configurable rate limiting and environment-based secret management ### Critical Gaps (Must Address Before Certification) 1. No internal audit program or management review records (Clauses 9.2, 9.3) 2. No SIEM/centralized monitoring (A.8.16) 3. No formal vulnerability management in CI (A.8.8) 4. Secrets in repository / no vault (A.8.9, R-013) 5. No security awareness training program (A.6.3) 6. No vendor security assessments (A.5.19–A.5.22) 7. Encryption at rest not confirmed (A.8.24) 8. Executive sign-off on ISMS scope and policies pending --- ## 2. Assessment Methodology | Step | Activity | |------|----------| | 1 | Review ISMS scope and asset inventory | | 2 | Map existing controls to ISO 27001:2022 clauses and Annex A | | 3 | Interview technical leads (informal / codebase-based) | | 4 | Classify each requirement: **Implemented**, **Partial**, **Not Implemented**, **N/A** | | 5 | Prioritize gaps by risk linkage ([Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md)) | | 6 | Define remediation actions in [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md) Phase 2 | ### Maturity Scale | Rating | Definition | |--------|------------| | **Implemented** | Control documented, implemented, and operating effectively | | **Partial** | Control exists informally or is incomplete | | **Not Implemented** | No control or documentation | | **N/A** | Not applicable to TM scope (with justification) | --- ## 3. Clause 4 — Context of the Organization | Ref | Requirement | Status | Evidence | Gap / Remediation | |-----|-------------|--------|----------|-------------------| | 4.1 | Understanding the organization and its context | **Partial** | [ISMS Foundation §2](./ISMS_FOUNDATION.md#2-organizational-context) | Formalize interested parties register | | 4.2 | Understanding needs of interested parties | **Partial** | Business objectives in ISMS Foundation | Document customers, regulators, partners explicitly | | 4.3 | Determining ISMS scope | **Partial** | [ISMS Foundation §3](./ISMS_FOUNDATION.md#3-isms-scope); [Scope Approval](./ISMS_SCOPE_APPROVAL.md) draft | Executive sign-off required | | 4.4 | Information security management system | **Partial** | ISMS doc structure defined | Complete PDCA operating records | **Gap actions:** - Create interested parties register (customers, EU DPA, certification body, cloud providers) - Obtain signed scope approval from Executive Sponsor --- ## 4. Clause 5 — Leadership | Ref | Requirement | Status | Evidence | Gap / Remediation | |-----|-------------|--------|----------|-------------------| | 5.1 | Leadership and commitment | **Partial** | Roadmap exists; sponsor not yet assigned | Appoint Executive Sponsor; first management review | | 5.2 | Policy | **Partial** | [Information Security Policy](./policies/information-security-policy.md) draft | Approve and communicate policy | | 5.3 | Organizational roles, responsibilities, authorities | **Partial** | [ISMS Foundation §5](./ISMS_FOUNDATION.md#5-roles-and-responsibilities) | Assign named individuals to ISO, DPO roles | **Gap actions:** - Name and document ISO and DPO (can be interim) - Communicate approved Information Security Policy to all staff --- ## 5. Clause 6 — Planning | Ref | Requirement | Status | Evidence | Gap / Remediation | |-----|-------------|--------|----------|-------------------| | 6.1.1 | Actions to address risks and opportunities | **Partial** | Risk matrix with 23 risks | Link opportunities (e.g. certification as market differentiator) | | 6.1.2 | Information security risk assessment | **Implemented** | [Risk Assessment Matrix](./RISK_ASSESSMENT_MATRIX.md), [Procedure](./procedures/risk-assessment-procedure.md) | Maintain quarterly reviews | | 6.1.3 | Information security risk treatment | **Partial** | Treatment plans in risk matrix | Execute Phase 2 technical remediations | | 6.2 | Information security objectives | **Partial** | [Information Security Policy §4](./policies/information-security-policy.md#4-information-security-objectives) | Track KPIs monthly | | 6.3 | Planning of changes | **Not Implemented** | — | Document change planning in change management procedure (Phase 2) | **Gap actions:** - Begin executing risk treatment plans (R-001, R-010, R-013, R-015, R-023 priority) - Draft change management procedure --- ## 6. Clause 7 — Support | Ref | Requirement | Status | Evidence | Gap / Remediation | |-----|-------------|--------|----------|-------------------| | 7.1 | Resources | **Partial** | Roadmap resource estimate | Allocate part-time ISO capacity | | 7.2 | Competence | **Not Implemented** | — | Define security competency requirements per role | | 7.3 | Awareness | **Not Implemented** | Acceptable Use Policy draft | Launch onboarding + annual training | | 7.4 | Communication | **Partial** | Docs in `docs/security/` | Define internal/external comms plan for ISMS | | 7.5 | Documented information | **Partial** | ISMS doc suite | Document control procedure; version approval workflow | **Gap actions:** - Security awareness program (A.6.3) — target Q3 2026 - Document control: naming, approval, retention standards --- ## 7. Clause 8 — Operation | Ref | Requirement | Status | Evidence | Gap / Remediation | |-----|-------------|--------|----------|-------------------| | 8.1 | Operational planning and control | **Partial** | DevOps practices informal | Formalize change and deploy procedures | | 8.2 | Information security risk assessment | **Implemented** | Quarterly procedure defined | Execute first scheduled review Sep 2026 | | 8.3 | Information security risk treatment | **Partial** | Phase 2 roadmap | Implement prioritized controls | **Gap actions:** - Operational procedures for backup, incident response (drafted — need testing records) - Change management procedure (Phase 2) --- ## 8. Clause 9 — Performance Evaluation | Ref | Requirement | Status | Evidence | Gap / Remediation | |-----|-------------|--------|----------|-------------------| | 9.1 | Monitoring, measurement, analysis, evaluation | **Partial** | KPIs defined in roadmap | Implement SIEM; monthly KPI reporting | | 9.2 | Internal audit | **Not Implemented** | — | Schedule first internal audit Q1 2027 | | 9.3 | Management review | **Not Implemented** | — | First review within 90 days of scope approval | **Gap actions:** - **Critical:** Establish internal audit program before Stage 2 audit - Schedule first management review meeting - Implement monitoring (A.8.16) for measurable KPIs --- ## 9. Clause 10 — Improvement | Ref | Requirement | Status | Evidence | Gap / Remediation | |-----|-------------|--------|----------|-------------------| | 10.1 | Continual improvement | **Partial** | PDCA in roadmap | Track improvement actions from audits/incidents | | 10.2 | Nonconformity and corrective action | **Not Implemented** | — | Define CAPA (Corrective and Preventive Action) procedure | **Gap actions:** - CAPA procedure linked to incident response and audit findings - Nonconformity register template --- ## 10. Annex A Summary by Theme Full control-level detail: [Statement of Applicability](./STATEMENT_OF_APPLICABILITY.md) | Theme | Total Controls | Implemented | Partial | Not Impl. | N/A | |-------|----------------|-------------|---------|-----------|-----| | **A.5** Organizational | 37 | 2 | 25 | 10 | 0 | | **A.6** People | 8 | 0 | 6 | 2 | 0 | | **A.7** Physical | 14 | 0 | 3 | 0 | 11 | | **A.8** Technological | 34 | 4 | 22 | 7 | 1 | | **Total** | **93** | **6** | **56** | **19** | **12** | *Counts match [Statement of Applicability §7.1](./STATEMENT_OF_APPLICABILITY.md#71-by-theme). "Partial" indicates the control exists but lacks full documentation, testing, or operating evidence.* ### A.5 — Top Organizational Gaps | Control | Title | Status | Priority | |---------|-------|--------|----------| | A.5.19–A.5.22 | Supplier relationships | Not Implemented | High | | A.5.29–A.5.30 | Business continuity | Partial | High | | A.5.35 | Independent review | Not Implemented | Medium | | A.5.7 | Threat intelligence | Not Implemented | Medium | | A.5.32 | Intellectual property | Partial | Low | ### A.6 — Top People Gaps | Control | Title | Status | Priority | |---------|-------|--------|----------| | A.6.3 | Security awareness training | Not Implemented | High | | A.6.1 | Screening | Not Implemented | Medium | | A.6.6 | NDAs | Partial | Medium | | A.6.8 | Event reporting | Partial | Medium | ### A.7 — Physical Controls **11 N/A** — cloud-hosted infrastructure; physical security transferred to cloud provider per shared responsibility model (A.7.1–A.7.6, A.7.8, A.7.10–A.7.13). Provider compliance evidence required (A.5.23). **3 Partial** — A.7.7, A.7.9, A.7.14 remain applicable for personnel devices accessing TM systems (screen lock, off-premises asset security, equipment disposal). ### A.8 — Top Technological Gaps | Control | Title | Status | Priority | |---------|-------|--------|----------| | A.8.8 | Vulnerability management | Not Implemented | Critical | | A.8.16 | Monitoring activities | Partial | Critical | | A.8.24 | Cryptography | Partial | High | | A.8.2 | Privileged access rights | Partial | High | | A.8.32 | Change management | Partial | High | | A.8.29 | Security testing | Not Implemented | High | | A.8.12 | Data leakage prevention | Not Implemented | Medium | ### A.8 — Fully Implemented Technical Controls (Status = Yes) | Control | Implementation | |---------|----------------| | A.8.3 | RBAC + company-scoped middleware (`pkg/authorization`) | | A.8.4 | Git-based source control with PR workflow | | A.8.15 | Structured logging + `pkg/audit` | | A.8.26 | Govalidator, XSS policy, Swagger | Additional controls (e.g. A.8.5 authentication, A.8.9 configuration, A.8.28 secure coding) are **Partial** in the SoA — implemented in code but lacking full operating evidence or completeness (MFA, vault, SAST). --- ## 11. Gap Remediation Roadmap Aligned with [ISO27001_ROADMAP.md](./ISO27001_ROADMAP.md): | Priority | Gap | Remediation | Phase | Target | |----------|-----|-------------|-------|--------| | P0 | No incident response testing | Tabletop exercise | 2 | Q2 2026 | | P0 | Secrets in repo | Vault + secret scanning | 2 | Q2 2026 | | P0 | No vulnerability scanning | govulncheck in CI | 2 | Q2 2026 | | P0 | No management review | First review meeting | 1 | Q3 2026 | | P1 | No SIEM | Centralized logging + alerts | 2 | Q3 2026 | | P1 | No encryption at rest | MongoDB/MinIO encryption | 2 | Q3 2026 | | P1 | No vendor assessments | Vendor questionnaire | 2 | Q4 2026 | | P1 | No security training | Awareness program | 2 | Q3 2026 | | P1 | No internal audit | Audit program + first audit | 3 | Q1 2027 | | P2 | No CAPA procedure | Document CAPA process | 2 | Q3 2026 | | P2 | No penetration test | External pentest | 4 | Q2 2027 | --- ## 12. Conclusion The TM platform has a **solid technical security foundation** but lacks the **operational and governance evidence** required for ISO 27001 certification. Phase 1 documentation (foundation, risk assessment, policies, SoA, gap analysis) addresses Clauses 4.3, 6.1.2, and 5.2 at a draft level. **Recommendation:** Proceed to Phase 2 control implementation while pursuing executive approval of scope and policies. Target first internal audit no later than **Q1 2027** to allow 3+ months of operating evidence before Stage 2 audit. --- ## 13. Document Control | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial gap analysis | | 1.1 | 2026-06-11 | Engineering | Annex A theme table and executive summary aligned with SoA §7 | **Review** | Role | Name | Signature | Date | |------|------|-----------|------| | ISO | _Pending_ | | | | Executive Sponsor | _Pending_ | | |